The Security Viewpoint - News and opinion on information security, data breaches, and compliance


Journey to the cloud: three perspectives

Given the phone hacking scandal, it’s unusual to find News Corp and the Metropolitan Police in the same room these days, but it happened this week when representatives from both organisations, plus one from the BBC, shared a platform to discuss their plans for the cloud.

The three people were on a panel at the Hosting & Cloud Transformation Summit in London, organised by 451 Research, and all of them have big plans for moving much of their computing into some kind of cloud platform.

By far the most advanced was News Corp, which has already shifted around 30% of its systems into the cloud; and that figure could rise to 80%, according to Ian McDonald, the company’s head of infrastructure and cloud (a job title like that is a big clue to the organisation’s direction of travel). He said the company has adopted Google Mail, Google Apps, Salesforce and the Remedy cloud-based service-desk application, and also uses Amazon’s infrastructure as a service (IaaS) offering. Users loved the new model, he said, because it had replaced some creaky old applications and Exchange servers that had been constantly breaking down.

The only thing holding back faster progress is the need to wring some value out of a major hardware refresh that took place three years ago. Once that investment has been written off, he said, many more applications and systems can move into the cloud.

The BBC’s strategic infrastructure manager John Beaver was far less gung-ho about the subject, although he is currently looking at where the cloud could be used effectively. He said the corporation has developed a process to assess the sensitivity of any data that might be put on to a cloud service, mainly because BBC correspondents have secret sources they have to protect. He was worried, he said, that the US authorities would be able to force US-owned cloud service operators to disclose such information under the terms of the Patriot Act. He also felt that many of the BBC’s legacy applications would be hard to switch into the cloud.

The Met Police are also at an early stage of investigation, but they do have a head of strategic cloud, Roger Saint, and he thinks that up to 60% of the force’s applications could end up in some form of cloud, either full public cloud or a community-based service hosted in the UK. He said the cloud offers “a once in a lifetime opportunity” to make some radical changes, and to break down the siloed applications of the past.

The force’s current managed IT contract comes up for renewal in December 2015, he said, and he wants to be in a position to make full use of the new IT provision model after that date. However, the business case for moving to the cloud is still waiting to be approved.

All three panellists agreed that any cloud usage has to be done with care and with the full knowledge that it can break down at any time. News Corp’s McDonald said “you have to work on the basis that anything can fail”. He said that the company regularly experienced disk failures and file corruption when using Amazon’s infrastructure as a service offering. “You still have to make back-ups,” he said. Although he said the Amazon service was great, and improving, it still had “an ugly underlying design, you can imagine a lot of it being held together with duck tape.”

Everyone also agreed on the need to encrypt data held in the cloud, and insisted that security remains the responsibility of the client. “Your security depends on how you design your services,” said McDonald. “But you must always expect and plan for the worst.”

Finally, all three called for better standardisation across services, so that companies can mix and match services from different providers. The Met’s Roger Saint said the force has been in talks with around 80 potential providers over six months, and has been running workshops on the various areas of risk. “We would need an ecosystem of vendors with an interoperable platform,” he said.

All three agreed the market is still a long way from being able to provide that.